Edward Roozenburg: DORA, a finish yet to be determined


This column was originally written in Dutch. This is an English translation.

By Edward Roozenburg, Risk Management Consultant at Probability & Partners

It is common knowledge to most in the pension sector: the Digital Operational Resilience Act came into effect on January 1, 2023, and pension funds have until January 1, 2025 to comply with it. As 2025 approaches, the time pressure increases.

As an ISO (information security officer) at a pension fund, I noticed this myself last summer. I was startled during my vacation when the director asked how far we had progressed with preparing for the Digital Operational Resilience Act (DORA). I was able to reassure him, but to be honest I couldn't give him a proper answer.

And three months later I still can't. I still cannot make a solid baseline measurement of what the fund has to do before 2025. Only when the detailed effect of the DORA on every topic is known can I start working on it, and we are still waiting for that. What impact can you expect as a pension fund, and what can you do in advance to prepare?

What is already known?

Although the details are still pending, the main features of the DORA are known. The DORA is made up of five pillars:

  1. Pension funds must have comprehensive IT risk management, which includes identifying, classifying and documenting all IT-related business functions. They must also have a management body that is involved in IT risk management and has sufficient IT expertise.
  2. Pension funds must report all IT-related incidents that could endanger their business continuity or financial stability to the competent authorities.
  3. Pension funds must conduct regular tests to assess and improve their digital operational resilience. These tests should be based on realistic scenarios and take into account the potential impact of IT disruptions on financial markets.
  4. Pension funds must ensure that their outsourcing partners also meet the requirements of the DORA. They must have an outsourcing policy that identifies, manages and mitigates the risks of outsourcing. They must also keep records of all their outsourcing contracts.
  5. Pension funds must work with other financial institutions and regulators to share information about IT threats, vulnerabilities and best practices.

What is the impact?

Some of my colleagues expect that the overall impact will not be too bad. After all, many funds have already largely implemented DNB's Good Practice Information Security, and that work would already cover much of the preparation for the DORA. But others point out that the DORA is much more detailed in its requirements. Furthermore, DNB's monitoring of information security at funds showed that, on average, funds do not yet meet the maturity level DNB requires in the Good Practice.

Finally, the Good Practice Information Security will soon (probably this autumn) be revised. It will be tightened further and, as far as is known, the DORA will be incorporated into it. Compliance with the current Good Practice alone is therefore certainly no guarantee of compliance with the DORA.

More specifically, there will be work to be done for many funds on the following points:

  1. The board of the fund will be ultimately responsible for IT management. The board must assign tasks, commission audits and have a strategy for digital operational resilience. This also means that board members must regularly follow specific training courses commensurate with managing IT risk.
  2. Clear information security objectives with critical risk and performance indicators should be formulated. In general, the goal of information security is to guarantee reliability, integrity and confidentiality. The DORA adds authenticity to this. It will be a challenge to translate this into a measurable performance indicator.
  3. IT incidents must be reported if they meet a certain definition, probably to DNB or the NCSC, and within set deadlines. It is therefore important to make agreements with your IT suppliers about how quickly they report to the fund that something has gone wrong.
  4. Digital operational resilience must be demonstrable, so you will have to test your IT. Think of pen testing, red teaming and the like, but perhaps also of the operation of other control measures, such as contingency, backup and recovery. In practice, this probably means that it must be clear which controls have been set up, that they must be tested, and what the results are.
  5. There must be an information register in which all IT agreements are included (not just the critical outsourcing chains, as is currently the case). That includes the contract for the digital doorbell, which I have seen at some funds. Requirements are also imposed on contracts with IT service providers.

What can you do now?

So what can you pick up now?

  1. Anticipate the above points in advance. If you have to appoint new directors, consider their IT knowledge in your procedure. If you want to revise your IT policy, make sure that the relevant main points of the DORA are included right away. Start pen testing if you haven't already.
  2. Take a quick look at how your business operations measure up against the main points of the DORA. Once the details are known, you can then perform your gap analysis more quickly.
  3. Make sure the assessment of your outsourcing partners is in order, and ask IT suppliers in your periodic evaluations how they are preparing for the elements of the DORA.

The point remains that only once the full details of the DORA are known will it be truly clear what still needs to be done. The finish line is yet to be determined, but you already know which way to go.

Just to be clear: we do this to increase digital resilience throughout Europe. This gives us more certainty that pensions will 'normally' be paid out on time, that the transition to the new system will take place without cyber incidents, and that everyone will receive the correct amount in their piggy bank. I can only applaud the fact that we are now implementing these improvements in cybersecurity with the DORA.

Probability & Partners is a Risk Advisory Firm that provides integrated risk management and quantitative modeling solutions to the financial sector and data-driven enterprises.